Many organizations seem to believe that their IT equipment is valuable. They spend inordinate amounts of money applying security to their servers, storage, network switches, and appliances and then assume that, as they have done this, they are suddenly a secure company. Even where there is an understanding that hardware security is not enough, the focus simply shifts to application and database security.
Then something like bring your own device (BYOD) comes along and throws all of this into disarray. The device isn’t the organization’s; it isn’t connected over an end-to-end corporate network; the apps can be (and are) downloaded from an app store that the organization has no control over.
It is increasingly difficult for an organization to draw a line around itself and say “this is us”; the need to share information up and down a value chain of customers and suppliers now means that such borders between steps of a process are becoming less clear.
And herein lies the eternal problem for an IT group — IT-based security is never going to work. Instead, what is needed is IT-facilitated security.
If you look at what makes a successful organization, it is not great IT; it is not even great products, nor is it great employees; it is the successful utilization of its intellectual property (IP). But where does that intellectual property come from?
In a world of big data, it should come from the effective aggregation, filtering, and analysis of a large base of mixed data sources — which can include everything from data held in formal databases, through in-house Office documents, to web searches and subscription-based services. It also needs to allow for information coming in from the value chain, as well as the humans along this chain.
Without the right means for filtering and analysis, the data remains just that: a massive great store of ones and zeroes that take up a lot of space and maintenance in the data center for no visible business benefit. Once filtering and basic analysis are applied, the data becomes information — the platform for intellectual property.
With advanced analysis, the information becomes knowledge. When fed to the right people, this knowledge can lead to the right decisions being made at the right time, which then creates business value and so to a more successful company.
Any loss of information or knowledge based on poor security could lead to a competitor being able to steal your IP, or even to a valuable patent being lost due to prior disclosure. IP can be exceedingly valuable; look at the recent acquisitions by the likes of Google, Microsoft, and IBM where it was the patent library of a failing company that was seen as having the value.
So, what does this mean for IT security? Standard approaches to IT security as mentioned above only work when you have control over the hardware and applications. New approaches are needed — ones that focus on the IP, not the IT.
By focusing on the information, a different view can be taken. What happens if that piece of information “escapes” outside of the value chain? Well, if it is the company canteen menu, not much. If it is the latest details on possible acquisitions, it could be very harmful.
Information needs to be classified. Once it is classified (even something as simple as Public/Commercial/Secret), actions can be taken against it. For example, a Secret document that is attached to an email can be quarantined by data leak prevention (DLP) tools so that it doesn’t go where it shouldn’t. A Commercial document can be timed so that unless a new certificate is provided by a central digital rights management (DRM) system, it will encrypt or securely erase itself after 4 hours. All of this is predicated on understanding the context of any access, as well as on the identity of the person who is attempting to access the information. To this extent, identity becomes the new perimeter; identify what has to be kept safe within that perimeter, and approach as described in Quocirca’s report.
By taking an information-centric approach to security, the IT becomes just a platform; the security embraces new approaches and can operate across boundaries, enabling the organization to work in a more effective manner.
It is time to ditch IT security and move to IP security. Your organization will thank you for doing it.